CEOs lack confidence in their firm’s ability to avert cyber attacks: Report

Nearly three-quarters (74%) of CEOs are concerned about their organisations’ ability to avert or minimise damage to the business from a cyber-attack, according to a new report from global IT consulting firm Accenture published on Thursday, which also showed that more than half (54%) of CEOs are under the assumption that the cost of implementing cybersecurity is higher than the cost of suffering a cyber-attack. 

The report, titled “The Cyber-Resilient CEO,” and based on a survey of over 1,000 CEOs from large organisations globally, also noted that 60% of CEOs said their organisations don’t incorporate cybersecurity into business strategies, services, or products from the outset, and more than four in 10 (44%) believe that cybersecurity requires episodic intervention rather than ongoing attention. 

Moreover, only 15% have dedicated board meetings for discussing cybersecurity issues. This disconnect might be explained by the fact that the vast majority (91%) of CEOs said cybersecurity is a technical function that is the responsibility of the CIO or chief information security officer. 

The report also suggests that generative AI holds is posing new challenges in cyber that was not seen before. Nearly two-thirds (64%) of CEOs surveyed said that cybercriminals could use generative AI to create sophisticated and hard-to-detect cyber-attacks, such as phishing scams, social engineering attacks, and automated hacks. 

Paolo Dal Cin, global lead of Accenture Security, said, “Unfortunately, it is often only after they experience a material cyber incident that they elevate cybersecurity to a board-level and C-suite priority and expand expectations beyond technology functions to better protect their organisations. Integrating cybersecurity risk into an enterprise risk management framework is the key to ensuring better security, regulatory compliance, business protection and customer trust.” 

The research identifies those CEOs who excel at cyber resilience and accounts for 5% of respondents—uses a wider lens to assess cybersecurity across all aspects of their organisations. As a result, their breach costs are considerably lower and financial performance significantly better than the rest, achieving 16% higher incremental revenue growth, 21% more cost-reduction improvements, and 19% healthier balance-sheet improvements, on average. 

For example, cyber- resilient CEOs are far more likely adopt shared accountability across the C-suite, inspiring executives to champion cybersecurity as a competitive differentiator that accelerates innovation safely and work closely with their CISOs to assess and manage the risks of generative AI, ensuring that the technology is used safely and effectively. 

In this regard, Jeff Pollard, VP, Principal Analyst, Forrester noted in his blog published in February 2023 that CISOs elevated in the organisation who report to the CEO run better cybersecurity programs. “Security matters now more than ever, making this the perfect time to think about a change in reporting structure. IT should also support this change, because our recent research shows that great technology organisations need great security organisations,” he said, adding that this will help them gain more control over the cybersecurity program with increased management responsibility. 

CEOs and their boards must now own cybersecurity. CEOs need to establish the right culture to protect against cyber risk. Boards need to establish cyber as a material business financial risk and need to better understand the potential of its material impact on business, said a McKinsey report. As Thomas Elsner, partner in McKinsey’s Munich office said, tech transformation is an endeavour that requires the entire organization. “Without clear and forceful leadership from the CEO and board, however, such a transformation is simply not possible,” he said.